Bill Stacey definitely kicks arses. In his article he explains how SCT (SecureContextToken) works and how it can be used without installing X509 certificates. He also provides sample code. I haven’t played with it yet, but it seems to be the missing piece in the WSE architecture that many developers have been looking for it on microsoft.public.dotnet.framework.webservices.enhancements.